PKCS12KeyStoreUnlimited

From PDP/Grid Wiki
Revision as of 10:20, 19 August 2010 by Wvengen@nikhef.nl (talk | contribs) (initial version)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Cryptography in Java is subject to cryptographic strength restrictions to comply to laws that exist or existed in the world. While this might be safe in some cases, in practice it has been quite troublesome in areas where these laws do not apply. And since other platforms than Java have no such restrictions, it is perceived as a nuisance most of the time.

One such restriction is that importing/exporting PKCS#12 files can not have a password of more than seven characters. As grid certificates usually have longer passwords (and this is strongly advised to users), software like JGridstart needs to get around this.

To be able to use strong cryptography it is possible to follow a couple of routes:

  • Have the user install the JCE unlimited strength jurisdiction policy files. This is the way usually recommended, but as it is a little cumbersome and requires administrative rights to do so, it is not desirable.
  • Make the application "exempt" using a policy file (not implemented for Sun, not found for BouncyCastle provider)
  • When using the BouncyCastle library for cryptography, bypass the Java security architecture and use the BouncyCastle API directly. Documentation is a little sparse, and I haven't got round to that.
  • Use the PKCS12KeyStoreUnlimited workaround that bypasses the Java security restrictions as explained below.

PKCS12KeyStoreUnlimited

To tackle this problem, it is possible to bypass the Java cryptography restrictions by using its introspection capabilities. PKCS12KeyStoreUnlimited does exactly that for the case of accessing a PKCS#12 keystore. Although it is a bit of a hack, it has been tested on a variety of configurations without problems; please see the Javadoc documentation below for more details.

Javadoc Source code